darkcomet | 554ba8585577dce1573b9b1a43607fed63d70f8cd38e9ab7bf7b8df219453ad1

General

Target

Bloxstrapv281.exe
Size

11.9MB
MD5

0be784b86944b7a9bf441f7a162c5063
SHA1

c9c4b60ceecbecd97ccfbb32a5ace6792b13b87e
SHA256

554ba8585577dce1573b9b1a43607fed63d70f8cd38e9ab7bf7b8df219453ad1
SHA512

f4381fc9164629e93c0e5f459b99831c6b1825640104081a0370136e3d539fbc9bedab89b459b4583aec75ed5352abafbd05fbcdfc8d64819b8f9e2abe4b2086
SSDEEP

98304:o1qZ+pv3Tscod5DFasb/r5vGWD3EOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrTlGK:o1qZ+pLscVsb/r5vGlObAbN0t

Score

10^/10

darkcomet guest16 discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

saw-shirts.gl.at.ply.gg:4164

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
Bloxstrap.exe
gencode
3zEvf95rCogr
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bloxstrapv281.exeBLOXSTRAP-V2.8.1 (1).EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Bloxstrapv281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	BLOXSTRAP-V2.8.1 (1).EXE

Executes dropped EXE 2 IoCs

Processes:

BLOXSTRAP-V2.8.1 (1).EXEBLOXSTRAP.EXE

pid process

328 BLOXSTRAP-V2.8.1 (1).EXE
3552 BLOXSTRAP.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

BLOXSTRAP.EXE

description pid process target process

PID 3552 set thread context of 1148 3552 BLOXSTRAP.EXE iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
328	BLOXSTRAP-V2.8.1 (1).EXE
3552	BLOXSTRAP.EXE

description	pid	process	target process
PID 3552 set thread context of 1148	3552	BLOXSTRAP.EXE	iexplore.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bloxstrapv281.exeBLOXSTRAP.EXEiexplore.exenotepad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxstrapv281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLOXSTRAP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1148 iexplore.exe

pid	process
1148	iexplore.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

BLOXSTRAP.EXEBLOXSTRAP-V2.8.1 (1).EXEiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3552	BLOXSTRAP.EXE
Token: SeSecurityPrivilege	3552	BLOXSTRAP.EXE
Token: SeTakeOwnershipPrivilege	3552	BLOXSTRAP.EXE
Token: SeLoadDriverPrivilege	3552	BLOXSTRAP.EXE
Token: SeSystemProfilePrivilege	3552	BLOXSTRAP.EXE
Token: SeSystemtimePrivilege	3552	BLOXSTRAP.EXE
Token: SeProfSingleProcessPrivilege	3552	BLOXSTRAP.EXE
Token: SeIncBasePriorityPrivilege	3552	BLOXSTRAP.EXE
Token: SeCreatePagefilePrivilege	3552	BLOXSTRAP.EXE
Token: SeBackupPrivilege	3552	BLOXSTRAP.EXE
Token: SeRestorePrivilege	3552	BLOXSTRAP.EXE
Token: SeShutdownPrivilege	3552	BLOXSTRAP.EXE
Token: SeDebugPrivilege	3552	BLOXSTRAP.EXE
Token: SeSystemEnvironmentPrivilege	3552	BLOXSTRAP.EXE
Token: SeChangeNotifyPrivilege	3552	BLOXSTRAP.EXE
Token: SeRemoteShutdownPrivilege	3552	BLOXSTRAP.EXE
Token: SeUndockPrivilege	3552	BLOXSTRAP.EXE
Token: SeManageVolumePrivilege	3552	BLOXSTRAP.EXE
Token: SeImpersonatePrivilege	3552	BLOXSTRAP.EXE
Token: SeCreateGlobalPrivilege	3552	BLOXSTRAP.EXE
Token: 33	3552	BLOXSTRAP.EXE
Token: 34	3552	BLOXSTRAP.EXE
Token: SeDebugPrivilege	328	BLOXSTRAP-V2.8.1 (1).EXE
Token: 35	3552	BLOXSTRAP.EXE
Token: 36	3552	BLOXSTRAP.EXE
Token: SeIncreaseQuotaPrivilege	1148	iexplore.exe
Token: SeSecurityPrivilege	1148	iexplore.exe
Token: SeTakeOwnershipPrivilege	1148	iexplore.exe
Token: SeLoadDriverPrivilege	1148	iexplore.exe
Token: SeSystemProfilePrivilege	1148	iexplore.exe
Token: SeSystemtimePrivilege	1148	iexplore.exe
Token: SeProfSingleProcessPrivilege	1148	iexplore.exe
Token: SeIncBasePriorityPrivilege	1148	iexplore.exe
Token: SeCreatePagefilePrivilege	1148	iexplore.exe
Token: SeBackupPrivilege	1148	iexplore.exe
Token: SeRestorePrivilege	1148	iexplore.exe
Token: SeShutdownPrivilege	1148	iexplore.exe
Token: SeDebugPrivilege	1148	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1148	iexplore.exe
Token: SeChangeNotifyPrivilege	1148	iexplore.exe
Token: SeRemoteShutdownPrivilege	1148	iexplore.exe
Token: SeUndockPrivilege	1148	iexplore.exe
Token: SeManageVolumePrivilege	1148	iexplore.exe
Token: SeImpersonatePrivilege	1148	iexplore.exe
Token: SeCreateGlobalPrivilege	1148	iexplore.exe
Token: 33	1148	iexplore.exe
Token: 34	1148	iexplore.exe
Token: 35	1148	iexplore.exe
Token: 36	1148	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

1148 iexplore.exe

pid	process
1148	iexplore.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Bloxstrapv281.exeBLOXSTRAP.EXEiexplore.exe

description	pid	process	target process
PID 2484 wrote to memory of 328	2484	Bloxstrapv281.exe	BLOXSTRAP-V2.8.1 (1).EXE
PID 2484 wrote to memory of 328	2484	Bloxstrapv281.exe	BLOXSTRAP-V2.8.1 (1).EXE
PID 2484 wrote to memory of 3552	2484	Bloxstrapv281.exe	BLOXSTRAP.EXE
PID 2484 wrote to memory of 3552	2484	Bloxstrapv281.exe	BLOXSTRAP.EXE
PID 2484 wrote to memory of 3552	2484	Bloxstrapv281.exe	BLOXSTRAP.EXE
PID 3552 wrote to memory of 1148	3552	BLOXSTRAP.EXE	iexplore.exe
PID 3552 wrote to memory of 1148	3552	BLOXSTRAP.EXE	iexplore.exe
PID 3552 wrote to memory of 1148	3552	BLOXSTRAP.EXE	iexplore.exe
PID 3552 wrote to memory of 1148	3552	BLOXSTRAP.EXE	iexplore.exe
PID 3552 wrote to memory of 1148	3552	BLOXSTRAP.EXE	iexplore.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe
PID 1148 wrote to memory of 1448	1148	iexplore.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\Bloxstrapv281.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrapv281.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE
  "C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP.EXE
  "C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP-V2.8.1 (1).EXE

Filesize
11.1MB

MD5
60246a70b28a9d7ef6a2dfe009e48075

SHA1
8dd51b8460307f785690008657918540a8ee4998

SHA256
e9091fa15944a451e792674cf408e400a5e6391cd31160040210b494bd723f17

SHA512
551ffebc64b11e21a234b3ac5a1e103e5cf0ff4fd4d5b71628d0c4215b24fbca946cc7dc14571667214dca86ae9c3327c928b996be456529f84bb2f4a0901e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLOXSTRAP.EXE

Filesize
660KB

MD5
4d734f4366e741c2dcdffeb170b267ff

SHA1
b659aa63fb1799294df03af19a7f3656afbf78ac

SHA256
7035b553d2a0117d081c5d567710d6fc10c7de2b37880502cc1c20613ccc39f2

SHA512
aea127a538d10b9dec114f105728b1c2edeb10b32ab34afc257acdbac65eed82b44dabb35914cd4313b170270f01fd2b120494b76fe656fe8abe9e1b06e84819

Download Submit
memory/328-22-0x00007FF8249EB000-0x00007FF8249EC000-memory.dmp

Filesize
4KB

Download
memory/328-27-0x00007FF8249EB000-0x00007FF8249EC000-memory.dmp

Filesize
4KB

Download
memory/1148-24-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/1448-26-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3552-23-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3552-25-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads